Vulnerability Scan Result

Target:

https://https-vwww-roblox.com/users/2089973126/profile

Scanned target: https://https-vwww-roblox.com/users/2089973126/profile

Submitted: January 21, 2025 from PE

Public scan

Scan mode: Passive (non-intrusive)

finished

Summary

high

Info

Low

Medium

High

Critical

Screenshot

Title:	Nisacute - Roblox
Description:	Nisacute is one of the millions creating and exploring the endless possibilities of Roblox. Join Nisacute on Roblox and explore together!

IP Information

IP address	174.138.20.68
Country	SG
AS number	AS14061
Net name	Digitalocean LLC

Open Ports

21/tcp	ftp	ProFTPD
22/tcp	ssh	OpenSSH 8.9p1 Ubuntu 3ubuntu0.10
25/tcp	smtp	Exim smtpd 4.95
80/tcp	http	nginx 1.26.2
110/tcp	pop3	Dovecot pop3d
143/tcp	imap	Dovecot imapd
443/tcp	https	nginx 1.26.2
465/tcp	smtp	Exim smtpd 4.95
587/tcp	smtp	Exim smtpd 4.95
993/tcp	imaps
995/tcp	pop3s
8888/tcp	http	nginx

Web Technologies

Software / Version	Category
AngularJS	JavaScript frameworks
Google Analytics GA4	Analytics
Nginx 1.26.2	Web servers, Reverse proxies
PHP	Programming languages
Google AdSense	Advertising
Google Tag Manager	Tag managers

Web Application Vulnerabilities

Evidence

URL	Cookie Name	Evidence
https://https-vwww-roblox.com/users/2089973126/profile	PHPSESSID	The server responded with Set-Cookie header(s) that does not specify the HttpOnly flag: Set-Cookie: PHPSESSID=1ijuki63mh34nrhffnikacnoi9

Vulnerability description

We found that a cookie has been set without the <code>HttpOnly</code> flag, which means it can be accessed by potentially malicious JavaScript code running inside the web page. The root cause for this usually revolves around misconfigurations in the code or server settings.

Recommendation

Ensure that the HttpOnly flag is set for all cookies.

Classification

CWE	CWE-1004
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Cookie Name	Evidence
https://https-vwww-roblox.com/users/2089973126/profile	PHPSESSID	Set-Cookie: PHPSESSID=1ijuki63mh34nrhffnikacnoi9

Vulnerability description

We found that a cookie has been set without the <code>Secure</code> flag, which means the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. The root cause for this usually revolves around misconfigurations in the code or server settings.

Recommendation

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Classification

CWE	CWE-614
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
https://https-vwww-roblox.com/users/2089973126/profile	Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response.

Vulnerability description

We noticed that the target application's server responses lack the <code>Referrer-Policy</code> HTTP header, which controls how much referrer information the browser will send with each request originated from the current web application.

Recommendation

The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
https://https-vwww-roblox.com/users/2089973126/profile	Response does not include the HTTP Content-Security-Policy security header or meta tag

Vulnerability description

We noticed that the target application lacks the Content-Security-Policy (CSP) header in its HTTP responses. The CSP header is a security measure that instructs web browsers to enforce specific security rules, effectively preventing the exploitation of Cross-Site Scripting (XSS) vulnerabilities.

Recommendation

Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
https://https-vwww-roblox.com/users/2089973126/profile	Response headers do not include the X-Content-Type-Options HTTP security header

Vulnerability description

We noticed that the target application's server responses lack the <code>X-Content-Type-Options</code> header. This header is particularly important for preventing Internet Explorer from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header.

Recommendation

We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL	Evidence
https://https-vwww-roblox.com/users/2089973126/profile	Response headers do not include the HTTP Strict-Transport-Security header

Vulnerability description

We noticed that the target application lacks the HTTP Strict-Transport-Security header in its responses. This security header is crucial as it instructs browsers to only establish secure (HTTPS) connections with the web server and reject any HTTP connections.

Recommendation

The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows: `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]` The parameter `max-age` gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months. A value below 7776000 is considered as too low by this scanner check. The flag `includeSubDomains` defines that the policy applies also for sub domains of the sender of the response.

Classification

CWE	CWE-693
OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

Software / Version	Category
AngularJS	JavaScript frameworks
Google Analytics GA4	Analytics
Nginx 1.26.2	Web servers, Reverse proxies
PHP	Programming languages
Google AdSense	Advertising
Google Tag Manager	Tag managers

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

Classification

OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Evidence

URL
Missing: https://https-vwww-roblox.com/.well-known/security.txt

Vulnerability description

We have noticed that the server is missing the security.txt file, which is considered a good practice for web security. It provides a standardized way for security researchers and the public to report security vulnerabilities or concerns by outlining the preferred method of contact and reporting procedures.

Recommendation

We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server.

Classification

OWASP Top 10 - 2017	A6 - Security Misconfiguration
OWASP Top 10 - 2021	A5 - Security Misconfiguration

Infrastructure Vulnerabilities

Evidence

Risk level	CVSS	CVE	Summary	Exploit
	7.5	CVE-2022-37451	Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.	N/A
	5.3	CVE-2023-51766	Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.	N/A

Vulnerability description

Vulnerabilities found for Exim Smtpd 4.95

Recommendation

We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.

Evidence

Risk level	CVSS	CVE	Summary	Exploit
	7.5	CVE-2022-37451	Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.	N/A
	5.3	CVE-2023-51766	Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.	N/A

Vulnerability description

Vulnerabilities found for Exim Smtpd 4.95

Recommendation

We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.

Evidence

Risk level	CVSS	CVE	Summary	Exploit
	7.5	CVE-2022-37451	Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.	N/A
	5.3	CVE-2023-51766	Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.	N/A

Vulnerability description

Vulnerabilities found for Exim Smtpd 4.95

Recommendation

We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.

We managed to detect a publicly accessible SSH service.

Starting Nmap ( https://nmap.org ) at 2025-01-21 09:05 EET
Nmap scan report for https-vwww-roblox.com (174.138.20.68)
Host is up (0.17s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|_    password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.22 seconds

Vulnerability description

We found that the SSH service with username/password authentication is publicly accessible. Network administrators often use remote administration protocols to control devices like switches, routers, and other essential systems. However, allowing these services to be accessible via the Internet can increase security risks, creating potential opportunities for attacks on the organization.

Recommendation

We recommend turning off SSH with username/password authentication access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the SSH service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, it is advisable to utilize SSH Public Key Authentication since it employs a key pair to verify the identity of a user or process.

We managed to detect a publicly accessible File Transfer Protocol (FTP) service.

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD

Vulnerability description

We found that the File Transfer Protocol (FTP) service is publicly accessible. The FTP enables client systems to connect to upload and download files. Nonetheless, FTP lacks encryption for the data exchanged between the server and the client, leaving all transferred data exposed in plaintext.

Recommendation

We recommend turning off FTP access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the FTP service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, utilizing SFTP (Secure File Transfer Protocol) is recommended as this protocol employs encryption to secure data transfers.

Evidence

Domain Queried	DNS Record Type	Description	Value
https-vwww-roblox.com	A	IPv4 address	174.138.20.68
https-vwww-roblox.com	NS	Name server	cash.ns.cloudflare.com
https-vwww-roblox.com	NS	Name server	dalary.ns.cloudflare.com
https-vwww-roblox.com	SOA	Start of Authority	cash.ns.cloudflare.com. dns.cloudflare.com. 2362479303 10000 2400 604800 1800
https-vwww-roblox.com	TXT	Text record	"google-site-verification=Z9sFGhH5Iq3x00MCmb8V3yPLWyPCN0_BITSBJlH-ERQ"

Recommendation

We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.

Operating System
Linux 5.4

Evidence

Software / Version	Category
Nginx 1.26.2	Web servers, Reverse proxies

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.